Introduction
Information in this presentation is derived from Trustwave's Global Security Report 2011 (GSR 2011), which is issued annually.

- Based on findings and evidence from work conducted by Trustwave's SpiderLabs in 2010
- More than 200 investigations and 2,000 penetration test results contributed to the analysis and conclusions

- Data gathered from Top 20 GDP countries 

Download GSR: 
https://www.trustwave.com/GSR 

Download ATM Malware Report:
https://www.trustwave.com/downloads/spiderlabs/Trustwave-Security-Alert-ATM-Malware-Analysis-Briefing.pdf



Incident Response Investigations: Countries Represented

(Map of countries represented; not reproduced in text.)

Incident Response Investigations: Industries Represented

- 75% of cases were Food & Beverage and Retail
- Less focus on hospitality than the previous year
- A group responsible for the majority of cases increased their scope

Chart: Food & Beverage 57%, Retail 18%, Financial 6%, Government 6%



Incident Response Investigations: Data at Risk

- Payment card data - simplest to monetize
- Sensitive data
  - M&A activity
  - Board minutes
  - Intelligence
  - Proprietary data
  - Trade secrets

Chart: Payment Card Data 85%, Sensitive Company Data 8%, Trade Secrets 3%



Incident Response Investigations: Target Assets

- POS systems continue to be the path of least resistance
- Most relied on 3rd-party integrators
- EMV countries still a target
  - Focus on card-present environments
  - As mag-stripe-reader POS is still in use
Incident Response Investigations: Detection Methods vs. Time

- As expected, those able to self-detect detect quicker
- Those unable to self-detect had roughly 5x longer exposure time
- Investigations showed:
  - Role-based security training = improved detection capability
  - Mature infosec programs and monitoring controls helped

Chart: 28 days (self-detection) vs. 156.5 days for regulatory detection



Incident Response Investigations: Administration Responsibility

- Third-party implementation and maintenance agreement?
- Build in non-functional security requirements

Chart: Self 12%, Third Party 88%



Incident Response Investigations: Window of Data Exposure

- Reality reflects intuition: storing data increases the impact of a breach
- Average "compromised" transactions window:
  - In-transit data - 3 months
  - Stored data - 18 months

Chart: In Transit, window of exposure 110.5 days; Stored Data, window of exposure 557.5 days



Incident Response Investigations: Origin of Attack

(Map chart; not reproduced in text.)

ATM Attacks

- Have seen an increase in ATM-focused attacks
- They occur across the world (including cases in the USA, Latin America, Asia Pacific and Europe)
- Attacks to date take two forms:
  - Malware-based attacks - apparently using the USB interface of the ATM
  - Network-based attacks - often leveraging poorly secured remote access interfaces, like VNC







ATM Malware Example

- Ranges from rudimentary memory sniffing to sophisticated role-based plugins
- Attacker has specific key cards to trigger functionality
- Includes two-factor authentication (challenge/response)
- Includes the ability to print "dumps" (with PIN) to the receipt printer
- Key cards exist for mules to dispense funds
  - Different cards dispense different amounts, so leaders know who is cheating them
  - Can also dispense from different cassettes
- Malware is specific to the brand of ATM, though evidence of different flavours of malware exists

Screenshot of the malware's challenge/response prompt: "Request Code: 17Z28I / Enter Response"
ATM Malware Intelligence

- Intelligence about the spread of malware is possible using several online tools
- E.g. we first analysed the malware on the previous slide in Q1 2009. Note the submission date below: someone has had reason to analyse this sample recently.

VirusTotal result (screenshot): File name: lsass.exe; Submission date: 2011-03-22 04:45:51 (UTC); Current status: finished; Result: 29/42 (69.0%)



Network-Based ATM Attacks

- Most recent cases have resulted from network-based attacks
- Lack of segmentation between ATM and other networks
- Poorly secured network interfaces on ATMs (especially kiosk-based ATMs)
- ATMs often shipped with poor default security settings
  - Default local administrator password
  - Use of remote access technologies such as VNC with poor passwords
  - Missing patches
- Trend for ATMs to be internet connected, especially in developing economies
- Blind trust in ATM vendors: "it's an ATM - it must be secure"
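A quick check for the VNC weakness listed above, added here as an example and not part of the Trustwave presentation. It speaks only the RFB version handshake and then reads which security types the server offers: a server that lists type 1 (None) hands the desktop to anyone on the network with no password at all. It does not try any credentials, so a server that requires VNC Authentication (type 2) but has a blank or guessable password is reported as AUTH and still needs a separate credential check. Host and port are whatever you point it at; the byte strings in the test are constructed.

```python
"""Probe a VNC server for the 'no authentication' security type.

Added example, not Trustwave tooling. Performs only the RFB version
exchange and reads the server's security-type offer; it never logs in.
  RFB 3.3     : server picks one type, sent as a 4-byte big-endian integer
  RFB 3.7/3.8 : server sends <count><type>... (count 0 = refused, reason follows)
Type 1 = None, type 2 = VNC Authentication (DES challenge; password may still be blank).
"""
import socket
import struct
import sys

SEC_TYPE_NAMES = {
    0: "invalid/refused", 1: "None", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}


def parse_version(banner: bytes) -> tuple:
    """b'RFB 003.008\\n' -> (3, 8)."""
    if (len(banner) != 12 or not banner.startswith(b"RFB ")
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError("not an RFB banner: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Decode the security-type message that follows the version exchange."""
    if version < (3, 7):
        if len(payload) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        return [struct.unpack(">I", payload[:4])[0]]
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        return [0]                       # server refused; a reason string follows
    if len(payload) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(payload[1:1 + count])


def classify(types: list) -> str:
    if 1 in types:
        return "OPEN"       # no password: anyone on the network gets the desktop
    if types == [0]:
        return "REFUSED"
    return "AUTH"           # some authentication required; strength unknown


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RFB handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> tuple:
    """Return (version, offered security types, verdict) for one VNC endpoint."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        version = parse_version(banner)
        s.sendall(banner)                # accept the server's own version
        types = parse_security_types(version, s.recv(260))
    return version, types, classify(types)


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    version, types, verdict = probe(host, port)
    names = ", ".join(SEC_TYPE_NAMES.get(t, str(t)) for t in types)
    print("%s:%d RFB %d.%d offers [%s] -> %s"
          % (host, port, version[0], version[1], names, verdict))
```

Run it as `python vncprobe.py 10.0.0.5 5900` from a host on the ATM segment; an OPEN verdict is the finding the slide describes, and even an AUTH verdict on an ATM is worth a ticket, since VNC Authentication caps the password at 8 characters and is trivially brute-forced.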



Malware Isn't Always Required

- Many ATMs, especially legacy devices, store a large amount of sensitive data in log files
- For fraud on the card brands' cards (e.g. Visa, MasterCard) a track 2 dump is often sufficient
- Example of exploitation:
  - SQL injection on public-facing website, leads to
  - Access to database server, leads to
  - Mapping of internal network, leads to
  - Access to WAN and branch-office networks, leads to
  - Discovery of VNC with blank password on ATM, leads to
  - Discovery of default administrator password on ATM, leads to
  - Discovery of log files containing track 2 data



ATM Developments

- Much more research ongoing since Barnaby Jack's presentation at Black Hat 2010
  - Discovered both network and physical security flaws
  - Developed custom firmware for ATMs to harvest data and dispense cassettes
  - http://www.youtube.com/watch?v=qwMuMSPW3bU
- Our assessment: ATMs are likely to become more heavily targeted
  - Motive is there - real money
  - Barriers to entry do not appear to be high
  - A lot of existing infrastructure in place that will be difficult to update
  - Most ATMs not making use of EMV, so track 2 + PIN is usually sufficient for fraud



Point of Sale Attacks

- Increase in terminal tampering attacks in EMV countries
  - McDonald's case in Australia last year
  - Many cases in the UK
- Increase in attacks focused on integrated point of sale
  - Even in EMV countries, there are industries that have integrated POS, e.g. Hospitality
  - Attacks targeted at "double swipe" merchants
    - One swipe in hardware terminal
    - One swipe in POS for "reconciliation"




Malware Statistics: Data Points of Interest - Classification

New Malware Developments
- POS-specific malware: requires POS-specific knowledge

POS Malware Highlight Case
- Encryption algorithm/key identified
- Decrypted and extracted the data

Chart: Memory Dumper 45% (other categories not recovered)



Malware Statistics: Data Points of Interest - Anti-Forensics Capability

Main Themes
- More anti-forensic features
- Primarily to avoid DLP/IDS
- Memory data storage
- Obfuscation

Malware analysis skills are now a must for investigators

Chart (partially recovered): Encode/Encrypt 27%; 22% (label not recovered); MAC time modifications 4



Memory Parsers

- Software application that monitors the RAM being used by a process
- Uses regular expressions or some other filtering technique to look for information
- Either stores this information on disk for an attacker to access later, or exfiltrates it directly
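The memory parsers described here and the track 2 data left in ATM log files (the "Malware Isn't Always Required" slide) come down to the same pattern match. The scanner below, added here as an example and not Trustwave's tooling, runs that match defensively over any byte buffer (a log file or a process memory dump), drops false positives with the Luhn check, flags service codes that indicate a chip-preferred card, and reports masked PANs so the scan output does not itself become card data. The log lines are constructed sample input using published test card numbers.

```python
"""Scan a byte buffer (log file, process memory dump) for Track 2 data.

Added example, not Trustwave tooling. Track 2 layout per ISO/IEC 7813:
  ';' PAN(13-19 digits) '=' YYMM(expiry) service-code(3) discretionary '?'
"""
import re
import sys
from typing import NamedTuple

# Sentinels are optional: memory parsers and log writers often drop them.
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\??"
)


class Track2Hit(NamedTuple):
    offset: int            # byte offset into the scanned buffer
    masked_pan: str        # first 6 + last 4 digits, middle masked
    expiry: str            # YYMM
    service_code: str
    chip_preferred: bool   # service code 2xx/6xx: issuer prefers EMV chip


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in buf, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue
        svc = m.group("svc").decode()
        hits.append(Track2Hit(m.start(), mask_pan(pan), m.group("exp").decode(),
                              svc, svc[0] in "26"))
    return hits


def scan_file(path: str) -> list:
    # Whole-file read: fine for logs; chunk it for multi-GB memory images.
    with open(path, "rb") as f:
        return find_track2(f.read())


# Constructed sample: an ATM application log writing card data in clear,
# using published test PANs (4111... and 5555...4444), a Luhn-invalid decoy,
# and a fragment of binary heap data of the kind a memory dumper sees.
SAMPLE_LOG = (
    b"2011-03-22 04:45:51 txn=0199 term=ATM07 status=OK\n"
    b"2011-03-22 04:46:02 txn=0200 term=ATM07 raw=;4111111111111111=13121011234567890123?\n"
    b"2011-03-22 04:46:09 txn=0201 term=ATM07 raw=;4111111111111112=1312101?\n"
    b"\x00\x00\x10DUMP;5555555555554444=1412201?\x00\xff"
)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for h in find_track2(SAMPLE_LOG):
            print(h)
    for path in paths:
        for h in scan_file(path):
            print("%s:%d PAN=%s exp=%s svc=%s chip=%s"
                  % (path, h.offset, h.masked_pan, h.expiry, h.service_code, h.chip_preferred))
```

Run against an ATM's application log directory or a dump produced with a memory acquisition tool; every hit is a PCI DSS requirement 3 finding regardless of who wrote the data. The Luhn filter is what keeps this usable on binary memory, where 13-plus-digit runs followed by "=" are common noise.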



Keystroke Loggers

- Intercepts data as it is being entered into the computer
- For example from a keyboard, barcode scanner, USB card reader or touch screen
- Either stores this information on disk for an attacker to access later, or exfiltrates it directly



Network Sniffers

- Listens to traffic on the network and filters for interesting data
- Needs to have access to interesting network traffic:
  - E.g. be on a central system or a non-switched network




Credentialed Malware

Incident Response Investigations: Payment Card Industry Compliance

- 97% insufficient firewall policy
- 83% default / guessable password
- 48% not using a PA-DSS application

Breach Triad - Infiltration, Aggregation, Exfiltration

Infiltration

Chart of infiltration methods: Remote Access Application, Social Engineering, SQL Injection, Content Management System Portal, Legitimate Access: Insider, Unknown




Breach Triad - Infiltration, Aggregation, Exfiltration

Aggregation

- Shift away from "smash & grab" of stored data
- Why?
  1. Less unsafe data being stored (PCI DSS, PA-DSS, OWASP)
  2. Card data expires; stored data is more complex to harvest
- In transit: the data is fresh, a worthwhile trade-off for criminals
- In-transit attacks and use of custom malware correlate

Chart: In Transit 66%, Hybrid 7.5%, Stored Data (percentage not recovered)
Breach Triad - Infiltration, Aggregation, Exfiltration

Exfiltration

Chart: FTP 38%, HTTP 35%, 23% and 4% (labels not recovered)



Questions?

Contact Us

+44 (0)845 456 9611
GSR2011@trustwave.com
https://www.trustwave.com/spiderlabs
Twitter: @SpiderLabs / @Trustwave